Starting with Resilio Connect v3.3.2, the Resilio Management Console supports sign-in by Azure AD users with assigned local roles. Starting with v3.5.1, Azure AD authorization is also available for the Resilio API.
1. Configure connection to Azure AD
2. Configure custom user Roles
3. Configure API integration with Azure AD
4. Peculiarities and limitations
Configure connection to Azure AD
1. Register an application in the Azure portal using the Microsoft guide Register an application.
Add this redirect URI to the application: https://mc_address:8443/login/azuread/redirect. Be sure to use the correct mc_address.
2. Create the application roles using the guide Add app roles to your application and receive them in the token, and assign the roles to users.
These values are supported: super_administrator, administrator and view_only. They stand for the corresponding user roles on the MC. See below for configuring custom user roles.
3. Check the application's API permissions. The permission user.read is required; it should be granted automatically when the application is created. If it is not, click Add permissions -> Microsoft Graph -> Delegated permissions, type user.read and select it from the Users section.
Additionally, an e-mail claim (token type ID) can be added under Token Configuration in Azure. This allows e-mail notifications from the MC to be configured for Azure AD users. Be sure to grant the permissions.
Both permissions should then appear in the application's list of API permissions.
4. If you plan to integrate with the Resilio API, go to Expose an API and set the "Application ID URI".
6. On the Resilio Management Console, open Settings -> General -> Advanced and set https://mc_address:8443 (the same mc_address as in step 1) as the "Management Console address".
7. Configure the connection to Azure AD. Open MC Settings -> General -> Azure AD Authentication and enter the connection information:
Client ID: the "Application (client) ID" of the created application.
Client secret: the secret from the "Certificates and secrets" menu.
Note that the Management Console does not validate these fields and does not test the connection to the endpoint.
Once the Azure AD connection is configured, an option to sign in with Azure AD appears on the login screen.
A logged-in Azure AD user appears in the list of MC users. Such users cannot be edited from the MC.
Configuring custom user roles
Custom roles also work, but this is not guaranteed for every role. A custom role name must be all lowercase, with spaces replaced by underscores. Single-word roles are not supported.
1. Create a custom user group on the Management Console, for example Test Group.
2. Transform its name: replace spaces with underscores (_) and make all letters lowercase. In the example it becomes test_group.
3. Create a role with that value in Azure AD and assign it to the users.
The logged-in user will appear in the corresponding group on the MC.
Configure API integration with Azure AD
Starting with Resilio Connect v3.5.1, Azure AD authentication can be used for the MC API. Follow the steps below to configure it.
1. Register an application as instructed above. Ensure that the Application ID URI is set under "Expose an API" for that application.
2. On the Management Console, go to Settings -> General -> Azure AD configuration and select the option "Use Azure AD Authentication for API" (API integration does not depend on user authentication and can be configured separately). Enter:
Client ID: taken from the details of the registered application.
Tenant ID: tenant of the registered application.
OpenID URI: https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration (see the note on the API token version below; you may need to remove v2.0).
3. Register a new application: the API client daemon that will call the Resilio API. The client API app must be in the same tenant as the main application. Leave the redirect URI empty.
4. Go to the "Expose an API" menu and set the API URI.
5. Go to API permissions -> Add a permission -> My APIs, select the main application and one of the groups created in the main application (super_administrator, administrator or view_only). That group is the access level used when calling the API.
6. Go to Certificates and secrets -> create a new client secret. Give it a name and copy its value right away, as it cannot be viewed later.
7. Recheck the supported token version. By default Resilio Connect supports token versions 1 and 2. Check in the main application's manifest which version is used (parameter accessTokenAcceptedVersion; see here for more details).
If only version 1 is supported, remove 'v2.0' from the OpenID URI in the Management Console's Azure AD configuration.
8. Generate the token itself. Any well-known script or tool can be used to generate it. Otherwise, use the simple flow from Microsoft's Access token request with a shared secret, replacing the parameters from the example as follows:
client_id = the ID of the API client application.
scope = the API URI of the main application with the /.default suffix. Don't forget to percent-encode the symbols in the URI, for example scope=api%3A%2F%2F2e9f....%2F.default. If a v1.0 token is used, api:// must not be included in the scope.
client_secret = the secret value from the API client application.
Requested URL: be sure to use a valid tenant ID. If a v1.0 token is used, remove v2.0 from the URL.
You should receive a JWT token.
9. Use the generated token to make API calls to the Management Console, passing it in the header "Authorization: Bearer <token>".
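The token request from step 8 and the header from step 9, written out as an added example (not Resilio's or Microsoft's own code). It assumes the tenant ID, client ID, secret and Application ID URI values are supplied by the caller; the v1/v2 switch follows the page's instructions (drop v2.0 from the URL and api:// from the scope for v1.0 tokens), and fetch_token is the only function that touches the network.

```python
import json
import urllib.parse
import urllib.request

TOKEN_HOST = "https://login.microsoftonline.com"

def build_token_request(tenant_id, client_id, client_secret, app_id_uri, token_version=2):
    """Return (url, form_body) for the client-credentials request of step 8.
    token_version must match accessTokenAcceptedVersion in the main app's manifest:
    v2 keeps 'v2.0' in the URL and 'api://' in the scope; v1 drops both (per the page).
    """
    if token_version == 2:
        url = f"{TOKEN_HOST}/{tenant_id}/oauth2/v2.0/token"
        scope = f"{app_id_uri}/.default"
    elif token_version == 1:
        url = f"{TOKEN_HOST}/{tenant_id}/oauth2/token"
        scope = f"{app_id_uri.removeprefix('api://')}/.default"
    else:
        raise ValueError("token_version must be 1 or 2")
    # urlencode percent-encodes ':' and '/', so the scope is sent as api%3A%2F%2F...%2F.default
    body = urllib.parse.urlencode({
        "client_id": client_id,
        "scope": scope,
        "client_secret": client_secret,
        "grant_type": "client_credentials",
    })
    return url, body

def looks_like_jwt(token):
    """Sanity check before using a token: three non-empty dot-separated segments."""
    parts = token.split(".")
    return len(parts) == 3 and all(parts)

def bearer_headers(token):
    """Header for step 9: the MC expects 'Authorization: Bearer <token>'."""
    if not looks_like_jwt(token):
        raise ValueError("response did not contain a JWT access token")
    return {"Authorization": f"Bearer {token}"}

def fetch_token(tenant_id, client_id, client_secret, app_id_uri, token_version=2):
    """POST the request built above and return access_token (network call, not run offline)."""
    url, body = build_token_request(tenant_id, client_id, client_secret, app_id_uri, token_version)
    req = urllib.request.Request(url, data=body.encode(), method="POST",
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["access_token"]
```

Pass the dict returned by bearer_headers as the headers of each request to https://mc_address:8443; the secret should be read from a secret store rather than hard-coded in the script.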
Peculiarities and limitations:
The Management Console does not validate the configured connection and does not test the connection to the endpoint.
Only these roles are officially supported: super_administrator, administrator and view_only. Custom roles also work, but this is not guaranteed for every role. A custom role name needs to be all lowercase, with spaces replaced by underscores.
An Azure AD user is forcibly logged out of the MC if their role is changed in Azure AD.